Virus Database


Yosha DOS viruses

Description Yosha DOS viruses

Yosha.745
This is a memory resident parasitic virus that is not dangerous. It hooks INT 21h and writes itself to the end of EXE files that are executed. The virus deletes the anti-virus data files CHKLIST.MS and ANTI-VIR.DAT if they exist. It also creates the C:WIN.COM file and writes a program to it; this program only displays the message:
Windoze crashes your system.

The virus also contains the text strings:
Kein Mehrheit für die Mitleid
KMFDM by Yosha/DC

Yosha.975,980
These are dangerous memory resident encrypted parasitic stealth viruses. They hook INT 8 and INT 21h and write themselves to the end of COM files that are executed or closed. When an infected file is opened or loaded for debugging, the virus disinfects it. When any file is deleted, the virus also deletes the ANTI-VIR.DAT file if it exists. When a file is created, the virus searches for the MSCD000 file (Microsoft CD?) in the current directory, and if that file exists, the virus manipulates the CD driver in some way (ejects a disk?) and displays the message:
Give Yosha cold Mountain Dew!

By hooking INT 8 the virus keeps the INT 21h handler pointing to the virus code. The virus also contains the text:
[Dew-Bug] (C) 1996 Yosha/DC

Yosha.LT
This is a dangerous memory resident parasitic virus. It copies itself into the Interrupt Vector Table, hooks INT 21h and writes itself to the end of COM files when they are read from or written to. While infecting, the virus uses a quite complex method to access the System File Table and may corrupt the files. The virus contains the text string:
Malaria by Yosha/LT

Yosha.MDK
This is a very dangerous encrypted memory resident overwriting virus. It copies its TSR copy to the DOS data area, hooks INT 21h and overwrites files that are executed. Depending on the system timer, the virus also erases a randomly selected sector on disks. The virus contains the text string:
Murder-Death-Kill by Yosha/tCS/DC

Yosha.Smegma
This is a harmless memory resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed, opened or accessed with the Get/Set File Attribute DOS call. The virus does not manifest itself; it contains the text string:
[Smegma] by Yosha

Yosha.Stercor
This is a memory resident companion stealth virus that is not dangerous. It hooks INT 21h and infects .EXE files: it creates companion .COM files when .EXE files are accessed (executed, opened, renamed, deleted, or accessed by the Get/Set Attribute DOS call). Stealth: on FindFirst/Next DOS calls the virus "skips" infected COM files. Depending on the system timer, the virus manifests itself with a video effect. The virus contains the text string:
Stercor by Yosha[LT/RSA]

Yosha.Zadig
This is a harmless memory resident polymorphic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. While infecting, the virus writes the JMP_Virus instruction not to the file header but into the middle of the file. To select the address at which to write the JMP_Virus code, the virus loads the file and traces it using an INT 1 hook.
The virus contains the text:
Zadig by Yosha[LT]


AT-Corp.363

Description AT-Corp.363

This is a harmless memory resident parasitic virus. It hooks INT 13h and writes itself into free space (a cave) in the EXE header when such headers are accessed with INT 13h (that is, when the corresponding sectors are read or written via INT 13h). The length of the file does not grow on infection.
The virus contains the text string:
(c) AT Corp. 1994

AT.Batalia3,Batalia4

Description AT.Batalia3,Batalia4

These are harmless non-memory-resident parasitic BAT viruses. They search for BAT files in the current directory, then infect them. While infecting a file, the viruses run the ARJ archiver to pack the necessary files. If there is no ARJ.EXE file in PATH, the viruses fail to replicate themselves.
The viruses contain two parts of code and data. The first part (the header) contains DOS commands:

"Batalia3":
@echo off
rem YYY
arj x %0 -g""bÑpß >nul
ren p Int
call i
ren Int a.bat
echo on
@call a
@echo off
del i.bat
del a.bat
del BATalia3

"Batalia4":
@echo off
rem BAT4
arj x %0 >nul
call i
del sg
del i.bat

The second part (the rest) is an ARJ archive. This archive contains the I.BAT file that is the main virus code and the additional files:
"Batalia3": P, BATALIA3
"Batalia4": SG

The SG and BATALIA3 files contain several additional batch commands. The P file contains the original code of the infected BAT file (in the case of the "Batalia3" virus).
So, any infected file contains the text strings (DOS commands) and the binary data (ARJ archive).
When executed, the virus runs the ARJ archiver, extracts the files I.BAT and SG and runs I.BAT. This batch file searches for uninfected BAT files in the current directory and infects them.
While infecting, the "Batalia4" virus appends its code to the end of files and does not modify the original file contents. "Batalia3" saves original BAT file to ARJ archive (file P) and overwrites it. As a result the length of a file infected by "Batalia3" may be less than before infection.
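
A defensive check for the structure described above (batch commands and an ARJ archive in one file), as an added example that is not part of the original page: it looks inside a .BAT file for an ARJ header whose CRC-32 verifies and reports whether the commands before it pass the file itself to `arj x %0`. The function names, verdict labels and sample bytes are constructed for illustration.

```python
import struct
import zlib

ARJ_MAGIC = b"\x60\xea"   # ARJ header id
ARJ_MAX_HEADER = 2600     # largest basic header size the ARJ format allows

def find_arj_header(data, start=0):
    """Offset of the first ARJ header whose header CRC-32 verifies, else None."""
    pos = data.find(ARJ_MAGIC, start)
    while pos != -1:
        if pos + 4 <= len(data):
            (size,) = struct.unpack_from("<H", data, pos + 2)
            end = pos + 4 + size
            if 0 < size <= ARJ_MAX_HEADER and end + 4 <= len(data):
                (stored,) = struct.unpack_from("<I", data, end)
                if zlib.crc32(data[pos + 4:end]) == stored:
                    return pos
        pos = data.find(ARJ_MAGIC, pos + 1)
    return None

def classify_bat(data):
    """Return (verdict, arj_offset) for the raw bytes of a .BAT file."""
    off = find_arj_header(data)
    if off is None:
        return ("plain-batch", None)
    # Commands that precede the archive; Batalia4 appends, so scan them all.
    text = data[:off].decode("latin-1").lower()
    cmds = [ln.strip().lstrip("@").split() for ln in text.splitlines()]
    # "arj x %0": the batch file hands itself to the archiver for extraction.
    unpacks_self = any(c[:3] == ["arj", "x", "%0"] for c in cmds)
    return ("self-extracting-arj" if unpacks_self else "embedded-arj", off)

def constructed_arj_header():
    """Constructed sample: a CRC-valid ARJ main header only, not a full archive."""
    basic = bytes([30, 6, 1, 0, 0, 0, 2]) + bytes(23) + b"sample.arj\x00\x00"
    crc = struct.pack("<I", zlib.crc32(basic))
    return ARJ_MAGIC + struct.pack("<H", len(basic)) + basic + crc

if __name__ == "__main__":
    head = b"@echo off\r\nrem constructed sample\r\narj x %0 >nul\r\ncall i\r\n"
    samples = {
        "benign": b"@echo off\r\necho hello\r\n",
        "hybrid": head + constructed_arj_header(),
        "decoy": b"@echo off\r\necho \x60\xea not an archive\r\n",
    }
    for name, blob in samples.items():
        print(name, classify_bat(blob))
```

Requiring a valid header CRC keeps a stray `60 EA` byte pair in ordinary batch text from being reported as an archive.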

    Copyright © 2005 Virus-Database.com